Lucene search

K
osvGoogleOSV:USN-6278-2
HistoryAug 10, 2023 - 7:34 p.m.

dotnet6, dotnet7 vulnerabilities

2023-08-1019:34:11
Google
osv.dev
3
.net
ubuntu
remote code execution
denial of service
cve-2023-35390
cve-2023-38178
cve-2023-38180
kestrel server
http/3

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

Low

0.008 Low

EPSS

Percentile

81.1%

USN-6278-1 fixed several vulnerabilities in .NET. This update
provides the corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

It was discovered that .NET did properly handle the execution of
certain commands. An attacker could possibly use this issue to
achieve remote code execution. (CVE-2023-35390)

Benoit Foucher discovered that .NET did not properly implement the
QUIC stream limit in HTTP/3. An attacker could possibly use this
issue to cause a denial of service. (CVE-2023-38178)

It was discovered that .NET did not properly handle the disconnection
of potentially malicious clients interfacing with a Kestrel server. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2023-38180)

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

Low

0.008 Low

EPSS

Percentile

81.1%